Merge branch 'develop' of github.com:ampproject/amp-wp into enhanceme…

…nt/2204-default-amp-endpoint

* 'develop' of github.com:ampproject/amp-wp:
  Fix hard-coded SSR tests
  Change string rendition of float numbers for sizers
  Update spec tests
  Ensure iframes in embeds with aspect ratios get responsive layout (#5486)
  Include additional sandbox tokens for converted iframes (#5483)
  Fix alignment for phpcs
  Update dependency sirbrillig/phpcs-variable-analysis to v2.9.0
  Fix PHPStan issue
  Update dependency terser-webpack-plugin to v4.2.3
  Update dependency mini-css-extract-plugin to v0.12.0
  Add issue reference to TODO
  Add expiry to stylesheet cache transients that exceed cache expiry
  Add test to assert stylesheet cache is not autoloaded
  Fix rendering translations in JS (#5461)
  Extract regex into constant
  Add tests for other doctypes
  Fix PSR2.Methods.FunctionCallSignature
  Ensure at least one space after doctype
  Always normalize to use HTML5 doctype

composer.json

@@ -29,7 +29,7 @@
     "phpcompatibility/phpcompatibility-wp": "2.1.0",
     "phpdocumentor/reflection": "~3.0",
     "roave/security-advisories": "dev-master",
-    "sirbrillig/phpcs-variable-analysis": "2.8.3",
+    "sirbrillig/phpcs-variable-analysis": "2.9.0",
     "wp-cli/export-command": "^2.0",
     "wp-cli/extension-command": "^2.0",
     "wp-coding-standards/wpcs": "2.3.0",

includes/sanitizers/class-amp-block-sanitizer.php

@@ -76,10 +76,11 @@ static function ( $class ) use ( &$responsive_width, &$responsive_height ) {
 			// @todo Should we consider just eliminating the .wp-block-embed__wrapper element since unnecessary?
 			// For visual parity with blocks in non-AMP pages, override the oEmbed's natural responsive dimensions with the aspect ratio specified in the wp-embed-aspect-* class name.
 			if ( $responsive_width && $responsive_height ) {
-				$amp_element = $this->dom->xpath->query( './div[ contains( @class, "wp-block-embed__wrapper" ) ]/*[ @layout = "responsive" ]', $node )->item( 0 );
+				$amp_element = $this->dom->xpath->query( './div[ contains( @class, "wp-block-embed__wrapper" ) ]/*[ @layout = "responsive" or @layout = "intrinsic"  ]', $node )->item( 0 );
 				if ( $amp_element instanceof DOMElement ) {
 					$amp_element->setAttribute( 'width', $responsive_width );
 					$amp_element->setAttribute( 'height', $responsive_height );
+					$amp_element->setAttribute( 'layout', 'responsive' );
 				}
 			}
 

includes/sanitizers/class-amp-iframe-sanitizer.php

@@ -22,18 +22,37 @@ class AMP_Iframe_Sanitizer extends AMP_Base_Sanitizer {
 	/**
 	 * Default values for sandboxing IFrame.
 	 *
+	 * | Sandbox Token                             | Included | Rationale
+	 * |-------------------------------------------|----------|----------
+	 * | `allow-downloads`                         | Yes      | Useful for downloading documents, etc.
+	 * | `allow-downloads-without-user-activation` | No       | Experimental per MDN. Bad UX.
+	 * | `allow-forms`                             | Yes      | For embeds like polls.
+	 * | `allow-modals`                            | Yes      | For apps to show `confirm()`, etc.
+	 * | `allow-orientation-lock`                  | Yes      | Since we `allowfullscreen`, useful for games, etc.
+	 * | `allow-pointer-lock`                      | Yes      | Useful for games.
+	 * | `allow-popups`                            | Yes      | To open YouTube video in new window, for example.
+	 * | `allow-popups-to-escape-sandbox`          | Yes      | Useful for ads.
+	 * | `allow-presentation`                      | Yes      | To cast YouTube videos, for example.
+	 * | `allow-same-origin`                       | Yes      | Removed if iframe is same origin.
+	 * | `allow-scripts`                           | Yes      | An iframe's primary use case is custom JS.
+	 * | `allow-storage-access-by-user-activation` | No       | Experimental per MDN.
+	 * | `allow-top-navigation`                    | No       | Poor user experience.
+	 * | `allow-top-navigation-by-user-activation` | Yes      | Key for clicking `target=_top` links in iframes.
+	 *
 	 * @since 0.2
+	 * @since 2.0.5 Updated to include majority of other sandbox values which are included by default if sandbox is not provided.
+	 * @link https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox
 	 *
-	 * @const int
+	 * @const string
 	 */
-	const SANDBOX_DEFAULTS = 'allow-scripts allow-same-origin';
+	const SANDBOX_DEFAULTS = 'allow-downloads allow-forms allow-modals allow-orientation-lock allow-pointer-lock allow-popups allow-popups-to-escape-sandbox allow-presentation allow-same-origin allow-scripts allow-top-navigation-by-user-activation';
 
 	/**
 	 * Tag.
 	 *
-	 * @var string HTML <iframe> tag to identify and replace with AMP version.
-	 *
 	 * @since 0.2
+	 *
+	 * @var string HTML <iframe> tag to identify and replace with AMP version.
 	 */
 	public static $tag = 'iframe';
 

lib/common/composer.json

@@ -16,7 +16,7 @@
     "dealerdirect/phpcodesniffer-composer-installer": "0.7.0",
     "phpcompatibility/phpcompatibility-wp": "2.1.0",
     "roave/security-advisories": "dev-master",
-    "sirbrillig/phpcs-variable-analysis": "2.8.3",
+    "sirbrillig/phpcs-variable-analysis": "2.9.0",
     "squizlabs/php_codesniffer": "^3"
   },
   "suggest": {

lib/common/src/Dom/Document.php

@@ -53,6 +53,13 @@ final class Document extends DOMDocument
      */
     const DEFAULT_DOCTYPE = '<!DOCTYPE html>';
 
+    /**
+     * Regular expression to match the HTML doctype.
+     *
+     * @var string
+     */
+    const HTML_DOCTYPE_REGEX_PATTERN = '#<!doctype\s+html[^>]+?>#si';
+
     /**
      * Encoding detection order in case we have to guess.
      *
@@ -105,8 +112,6 @@ final class Document extends DOMDocument
     const HTML_STRUCTURE_BODY_START_TAG  = '/^[^<]*(?><!--.*-->\s*)*(?><body(?>\s+[^>]*)?>)/is';
     const HTML_STRUCTURE_BODY_END_TAG    = '/(?><\/body(?>\s+[^>]*)?>.*)$/is';
     const HTML_STRUCTURE_HEAD_TAG        = '/^(?>[^<]*(?><head(?>\s+[^>]*)?>).*?<\/head(?>\s+[^>]*)?>)/is';
-    const HTML_DOCTYPE_HTML_4_SUFFIX     = ' PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" '
-                                           . '"http://www.w3.org/TR/REC-html40/loose.dtd"';
 
     // Regex patterns used for securing and restoring the doctype node.
     const HTML_SECURE_DOCTYPE_IF_NOT_FIRST_PATTERN = '/(^[^<]*(?>\s*<!--[^>]*>\s*)+<)(!)(doctype)(\s+[^>]+?)(>)/i';
@@ -646,7 +651,7 @@ private function normalizeDocumentStructure($content)
         $content = "{$htmlStart}{$content}{$htmlEnd}";
 
         // Reinsert a standard doctype (while preserving any potentially leading comments).
-        $doctype = str_ireplace(self::HTML_DOCTYPE_HTML_4_SUFFIX, '', $doctype);
+        $doctype = preg_replace(self::HTML_DOCTYPE_REGEX_PATTERN, self::DEFAULT_DOCTYPE, $doctype);
         $content = "{$doctype}{$content}";
 
         return $content;

lib/common/tests/Dom/DocumentTest.php

@@ -153,11 +153,21 @@ public function dataDomDocument()
                 '<html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
                 '<!DOCTYPE html><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
             ],
-            'html_4_doctype'                           => [
+            'html_4_loose_doctype'                     => [
                 'utf-8',
                 '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/REC-html40/loose.dtd"><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
                 '<!DOCTYPE html><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
             ],
+            'html_401_strict_doctype'                  => [
+                'utf-8',
+                '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
+                '<!DOCTYPE html><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
+            ],
+            'xhtml_10_strict_doctype'                  => [
+                'utf-8',
+                '<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
+                '<!DOCTYPE html><html amp lang="en">' . $head . '<body class="some-class"><p>Text</p></body></html>',
+            ],
             'html_with_xmlns_and_xml_lang'             => [
                 'utf-8',
                 '<!DOCTYPE html><html xmlns="http://www.w3.org/1999/xhtml" xml:lang="es">' . $head . '<body></body></html>',

lib/optimizer/composer.json

@@ -17,7 +17,7 @@
     "dealerdirect/phpcodesniffer-composer-installer": "0.7.0",
     "phpcompatibility/phpcompatibility-wp": "2.1.0",
     "roave/security-advisories": "dev-master",
-    "sirbrillig/phpcs-variable-analysis": "2.8.3",
+    "sirbrillig/phpcs-variable-analysis": "2.9.0",
     "squizlabs/php_codesniffer": "^3"
   },
   "suggest": {

lib/optimizer/resources/local_fallback/rtv/metadata

@@ -1 +1 @@
-{"ampRuntimeVersion":"012009112034002","ampCssUrl":"https://cdn.ampproject.org/rtv/012009112034002/v0.css","canaryPercentage":"0.005","diversions":["002009190410000","022009112034002","032009190410000","042009232059000","052009112034002","102009190410000"],"ltsRuntimeVersion":"012008290323004","ltsCssUrl":"https://cdn.ampproject.org/rtv/012008290323004/v0.css"}
+{"ampRuntimeVersion":"012009252320001","ampCssUrl":"https://cdn.ampproject.org/rtv/012009252320001/v0.css","canaryPercentage":"0.005","diversions":["002010010034000","022009252320001","032010010034000","042010082327000","052009252320001","102010010034000"],"ltsRuntimeVersion":"012008290323006","ltsCssUrl":"https://cdn.ampproject.org/rtv/012008290323006/v0.css"}